CLAIMS

1. A method of proving entity membership in a nested group, wherein a presenter of
credentials performs the step of presenting to a recipient of credentials one or more chains
of group credentials.

2. The method of claim 1, wherein one of said chains of group credentials comprise
one or more proofs of group membership.

3. The method of claim 2, wherein said proofs of group membership comprise one or 
more group membership certificates. 

4. The method of claim 2, wherein said proofs of group membership comprise one or 
more group membership lists. 

5. The method of claim 1, wherein one of said chains of group credentials comprise
one or more proofs of group non-membership.

6. The method of claim 5, wherein said proofs of group non-membership comprise
one or more group non-membership certificates.

7. The method of claim 5, wherein said proofs of group non-membership comprise 
one or more group membership lists. 

8. The method of claim 1, wherein said recipient is a resource server.

9. The method of claim 1, wherein said recipient is an on-line group server. 

10. The method of claim 1, wherein said recipient is an on-line revocation server. 
11. The method of claim 1, wherein said recipient is a client.

12. A method of proving entity non-membership in a nested group, wherein a presenter
of credentials performs the step of presenting to a recipient of credentials one or more
chains of group credentials.

13. The method of claim 12, wherein one of said chains of group credentials comprise
one or more proofs of group membership.

14. The method of claim 13, wherein said proofs of group membership comprise one
or more group membership certificates.

15. The method of claim 13, wherein said proofs of group membership comprise one
or more group membership lists.

16. The method of claim 12, wherein one of said chains of group credentials comprise
one or more proofs of group non-membership.

17. The method of claim 16, wherein said proofs of group non-membership comprise
one or more group non-membership certificates.

18. The method of claim 16, wherein said proofs of group non-membership comprise
one or more group membership lists.

19. The method of claim 12, wherein said recipient is a resource server. 

20. The method of claim 12, wherein said recipient is an on-line group server.

21. The method of claim 12, wherein said recipient is an on-line revocation server.

22. The method of claim 12, wherein said recipient is a client.

23. A computer system wherein a presenter of credentials presents to a recipient of
credentials one or more chains of group credentials to prove entity membership in a
nested group.

24. The system of claim 23, wherein one of said chains of group credentials comprise
one or more proofs of group membership.

25. The system of claim 24, wherein said proofs of group membership comprise one
or more group membership certificates.

26. The system of claim 24, wherein said proofs of group membership comprise one
or more group membership lists.



27. The system of claim 23, wherein one of said chains of group credentials comprise
one or more proofs of group non-membership.

28. The system of claim 27, wherein said proofs of group non-membership comprise
one or more group non-membership certificates.

29. The system of claim 27, wherein said proofs of group non-membership comprise
one or more group membership lists.



30. The system of claim 23, wherein said recipient is a resource server.

31. The system of claim 23, wherein said recipient is an on-line group server.

32. The system of claim 23, wherein said recipient is an on-line revocation server.

33. The system of claim 23, wherein said recipient is a client.

34. A computer system wherein a presenter of credentials presents to a recipient of
credentials one or more chains of group credentials to prove entity non-membership in a
nested group.

35. The system of claim 34, wherein one of said chains of group credentials comprise
one or more proofs of group membership.

36. The system of claim 35, wherein said proofs of group membership comprise one
or more group membership certificates.

37. The system of claim 35, wherein said proofs of group membership comprise one
or more group membership lists.

38. The system of claim 34, wherein one of said chains of group credentials comprise
one or more proofs of group non-membership.

39. The system of claim 38, wherein said proofs of group non-membership comprise
one or more group non-membership certificates.

40. The system of claim 38, wherein said proofs of group non-membership comprise
one or more group membership lists.

41. The system of claim 34, wherein said recipient is a resource server.



51. The method of claim 49, wherein said proofs of group non-membership comprise
one or more group membership lists.

52. A method of operating a client device on a computer network, said client device
requesting a service from a server and performing the steps of:

A. obtaining one or more chains of group credentials to prove client non-
membership in a nested group, and

B. presenting to the server a request for the service, said request including the
chains of group credentials.

53. The method of claim 52, wherein one of said chains of group credentials comprise
one or more proofs of group membership.

54. The method of claim 53, wherein said proofs of group membership comprise one 
or more group membership certificates. 

55. The method of claim 53, wherein said proofs of group membership comprise one
or more group membership lists.

56. The method of claim 52, wherein one of said chains of group credentials comprise 
one or more proofs of group non-membership. 

57. The method of claim 56, wherein said proofs of group non-membership comprise
one or more group non-membership certificates.



58. The method of claim 56, wherein said proofs of group non-membership comprise 
one or more group membership lists. 
59. A client device on a computer network requesting a service from a server, said
client device comprising:

A. means for obtaining one or more chains of group credentials to prove client
membership in a nested group, and

B. means for presenting to the server a request for the service, said request
including the chains of group credentials.

60. The client device of claim 59, wherein one of said chains of group credentials
comprise one or more proofs of group membership.



61. The client device of claim 60, wherein said proofs of group membership comprise
one or more group membership certificates.

62. The client device of claim 60, wherein said proofs of group membership comprise
one or more group membership lists.

63. The client device of claim 59, wherein one of said chains of group credentials
comprise one or more proofs of group non-membership.

64. The client device of claim 63, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

65. The client device of claim 63, wherein said proofs of group non-membership
comprise one or more group membership lists.



66. A client device on a computer network requesting a service from a server, said 
client device comprising: 

A. means for obtaining one or more chains of group credentials to prove client 
non-membership in a nested group, and 
B. means for presenting to the server a request for the service, said request
including the chains of group credentials.

67. The client device of claim 66, wherein one of said chains of group credentials
comprise one or more proofs of group membership.

68. The client device of claim 67, wherein said proofs of group membership comprise
one or more group membership certificates.

69. The client device of claim 67, wherein said proofs of group membership comprise
one or more group membership lists.

70. The client device of claim 66, wherein one of said chains of group credentials
comprise one or more proofs of group non-membership.

71. The client device of claim 70, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

72. The client device of claim 70, wherein said proofs of group non-membership
comprise one or more group membership lists.

73. A method for operating a resource server on a computer network, said resource
server controlling access to one or more resources by a plurality of client devices and
performing the steps of:

A. accepting resource access requests from the client devices, each request
comprising one or more chains of group credentials proving client membership in a nested
group,

B. validating the chains of group credentials, and

C. if the chains of group credentials are valid, authorizing the requested access.
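The following is an added illustration, not code from the patent, of the resource-server side of claims 52 and 73: a client presents a chain of group credentials (membership certificates and membership lists) linking it through nested groups to a target group, and the server validates every hop before authorizing. Group names, the HMAC-based stand-in for the issuer's signature, and the function names are assumptions made for the example.

```python
import hmac, hashlib, json

# Constructed stand-in for per-group signing keys; a real deployment would
# verify public-key signatures on each credential instead of a shared secret.
GROUP_KEYS = {"g:eng": b"k-eng", "g:staff": b"k-staff", "g:all": b"k-all"}

def _mac(key, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def issue_cert(group, member):
    """Group membership certificate: 'member belongs to group', signed by the group."""
    body = {"kind": "cert", "group": group, "member": member}
    return dict(body, mac=_mac(GROUP_KEYS[group], body))

def issue_list(group, members):
    """Group membership list: the group's full member set, signed by the group."""
    body = {"kind": "list", "group": group, "members": sorted(members)}
    return dict(body, mac=_mac(GROUP_KEYS[group], body))

def _proves(cred, subject):
    """True only if the credential is authentic and says `subject` is in its group."""
    key = GROUP_KEYS.get(cred.get("group"))
    if key is None:
        return False                      # unknown issuer: cannot validate
    body = {k: v for k, v in cred.items() if k != "mac"}
    if not hmac.compare_digest(_mac(key, body), cred.get("mac", "")):
        return False                      # tampered or forged credential
    if cred["kind"] == "cert":
        return cred["member"] == subject
    if cred["kind"] == "list":
        return subject in cred["members"]
    return False

def validate_chain(chain, client, target):
    """Walk client -> g1 -> g2 -> ... -> target; each hop must be proven by one
    credential whose subject is the previous hop's group."""
    subject = client
    for cred in chain:
        if not _proves(cred, subject):
            return False
        subject = cred["group"]
    return subject == target              # chain must end exactly at the target

def authorize(request, target_group):
    """Resource-server decision (claim 73, steps B and C) for one access request."""
    return validate_chain(request["chain"], request["client"], target_group)
```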
89. The resource server of claim 88, wherein said proofs of group membership
comprise one or more group membership certificates.

90. The resource server of claim 88, wherein said proofs of group membership
comprise one or more group membership lists.

91. The resource server of claim 87, wherein one of said chains of group credentials
comprise one or more proofs of group non-membership.

92. The resource server of claim 91, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

93. The resource server of claim 91, wherein said proofs of group non-membership
comprise one or more group membership lists.



94. A resource server on a computer network controlling access to one or more
resources by a plurality of client devices, said resource server comprising:

A. means for accepting resource access requests from the client devices, each
request comprising one or more chains of group credentials proving client non-membership
in a nested group,

B. means for validating the chains of group credentials, and

C. if the chains of group credentials are valid, means for authorizing the
requested access.



95. The resource server of claim 94, wherein one of said chains of group credentials
comprise one or more proofs of group membership.

96. The resource server of claim 95, wherein said proofs of group membership
comprise one or more group membership certificates.

97. The resource server of claim 95, wherein said proofs of group membership
comprise one or more group membership lists.

98. The resource server of claim 94, wherein one of said chains of group credentials
comprise one or more proofs of group non-membership.

99. The resource server of claim 98, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

100. The resource server of claim 98, wherein said proofs of group non-membership
comprise one or more group membership lists.



101. A computer data signal embodied in a carrier wave and representing a sequence of
instructions that, when executed by a processor in a network device requesting a service
from a server, configures the network device to operate as a client device that:

A. obtains one or more chains of group credentials to prove client membership in
a nested group, and

B. presents to the server a request for the service, said request including the
chains of group credentials.

102. The computer data signal of claim 101, wherein one of said chains of group
credentials comprise one or more proofs of group membership.

103. The computer data signal of claim 102, wherein said proofs of group membership
comprise one or more group membership certificates.

112. The computer data signal of claim 108, wherein one of said chains of group
credentials comprise one or more proofs of group non-membership.

113. The computer data signal of claim 112, wherein said proofs of group non-
membership comprise one or more group non-membership certificates.

114. The computer data signal of claim 112, wherein said proofs of group non-
membership comprise one or more group membership lists.

115. A computer data signal embodied in a carrier wave and representing a sequence of
instructions that, when executed by a processor in a network device controlling access to
one or more resources by a plurality of client devices, configures the network device to
operate as a resource server that:

A. accepts resource access requests from the client devices, each request
comprising one or more chains of group credentials proving client membership in a nested
group,

B. validates the chains of group credentials, and

C. if the chains of group credentials are valid, authorizes the requested access.



116. The computer data signal of claim 115, wherein one of said chains of group cre- 
dentials comprise one or more proofs of group membership. 



117. The computer data signal of claim 116, wherein said proofs of group membership 
comprise one or more group membership certificates. 



118. The computer data signal of claim 116, wherein said proofs of group membership
comprise one or more group membership lists.

119. The computer data signal of claim 115, wherein one of said chains of group
credentials comprise one or more proofs of group non-membership.

120. The computer data signal of claim 119, wherein said proofs of group non-
membership comprise one or more group non-membership certificates.

121. The computer data signal of claim 119, wherein said proofs of group non-
membership comprise one or more group membership lists.






122. A computer data signal embodied in a carrier wave and representing a sequence of
instructions that, when executed by a processor in a network device controlling access to
one or more resources by a plurality of client devices, configures the network device to
operate as a resource server that:

A. accepts resource access requests from the client devices, each request
comprising one or more chains of group credentials proving client non-membership in a
nested group,

B. validates the chains of group credentials, and

C. if the chains of group credentials are valid, authorizes the requested access.

123. The computer data signal of claim 122, wherein one of said chains of group
credentials comprise one or more proofs of group membership.

124. The computer data signal of claim 123, wherein said proofs of group membership
comprise one or more group membership certificates.

125. The computer data signal of claim 123, wherein said proofs of group membership
comprise one or more group membership lists.

126. The computer data signal of claim 122, wherein one of said chains of group
credentials comprise one or more proofs of group non-membership.

127. The computer data signal of claim 126, wherein said proofs of group non-
membership comprise one or more group non-membership certificates.

128. The computer data signal of claim 126, wherein said proofs of group non-
membership comprise one or more group membership lists.